The WannaCry ransomware campaign may have attracted most of the media attention, but Locky ransomware presents a bigger threat to organizations, with new Locky ransomware campaigns now a regular event. The ransomware was first seen in February last year and quickly became the biggest ransomware threat. More recently Cerber has been distributed extensively, but Locky is still being used in widespread attacks on organizations.
Those responsible for Locky ransomware are constantly changing tactics to trick end users into installing the malware and encrypting their files.
The Necurs botnet was recently used to distribute Jaff ransomware, but now that a decryptor has been produced for that variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting that around 7% of global email volume at the start of the campaign came from Necurs and was spreading Locky.
The new Locky ransomware campaign deploys a new variant of the ransomware that does not encrypt files on Windows operating systems newer than XP. This appears to be a mistake, and a new, updated version of the ransomware is expected to be released soon. As with previous campaigns, the latest batch of emails uses fake invoices to trick end users into downloading the ransomware.
Fake invoices are typically used to spread ransomware because they are highly successful. Even though these campaigns often include scant details in the email body, many end users open the attachments and enable macros; doing so downloads Locky. There is still no free decryptor available to recover Locky-encrypted files. Infections can only be remediated by paying a sizeable ransom or restoring files from backups.
Training end users to be more security aware will help organizations reduce their susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is an advanced spam filtering solution that stops the messages from reaching end users' inboxes. If the emails are blocked, there is little chance of end users opening malicious attachments and downloading the ransomware.
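The delivery chain described above (a fake-invoice email, an Office attachment, a macro the user is tricked into enabling) gives a mail gateway a concrete thing to check for before the message reaches an inbox. The following Python is an added example, not code from the article or from any product it mentions: it inspects an attachment for a VBA project, which in modern Office files lives in a `vbaProject.bin` part inside the zip container (even when the file has been renamed to a macro-free `.docx` extension), and applies a simple quarantine/deliver policy. The sample attachments are constructed in-memory stand-ins, not real Office documents, and the legacy OLE check is a string heuristic (assumption: the UTF-16LE directory entry name `_VBA_PROJECT` is a usable indicator), not a full compound-file parser.

```python
import io
import zipfile

# Constructed sample: a minimal OOXML-style zip container. Macro-enabled Office
# files (.docm/.xlsm/.pptm) keep their macros in a vbaProject.bin part; a file
# renamed to .docx still carries that part, so the extension alone is not enough.
def build_sample_ooxml(with_macros: bool) -> bytes:
    """Build a constructed, minimal OOXML-like zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


# Part names that indicate a VBA project inside an OOXML container.
MACRO_PART_NAMES = ("vbaproject.bin", "vbadata.xml")

# Magic bytes of a legacy OLE compound file (.doc/.xls) and a heuristic marker:
# OLE directory entry names are stored as UTF-16LE, so the VBA storage name
# appears in that encoding. Assumption: good enough for a gateway triage check.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# Extensions that should never contain macros; finding a VBA project here is a
# stronger signal because it means the file was renamed to look harmless.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def ooxml_has_macros(data: bytes) -> bool:
    """Return True if a zip-based Office document contains a VBA project part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Compare only the final path component, case-insensitively.
            if name.lower().rsplit("/", 1)[-1] in MACRO_PART_NAMES:
                return True
    return False


def ole_has_macros(data: bytes) -> bool:
    """Heuristic: legacy OLE file whose directory names a VBA project storage."""
    return data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one attachment under a simple gateway policy."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ooxml_has_macros(data):
        reason = "OOXML attachment contains a VBA project"
        if ext in MACRO_FREE_EXTENSIONS:
            reason += " despite a macro-free extension"
        return ("quarantine", reason)
    if ole_has_macros(data):
        return ("quarantine", "legacy OLE attachment references a VBA project")
    return ("deliver", "no macro indicators found")


def triage_message(attachments):
    """Apply the policy to every (filename, bytes) pair; quarantine the message if any hit."""
    verdicts = {name: classify_attachment(name, data) for name, data in attachments}
    message_verdict = "quarantine" if any(v[0] == "quarantine" for v in verdicts.values()) else "deliver"
    return message_verdict, verdicts


if __name__ == "__main__":
    # Constructed attachments for a fake-invoice style message.
    sample = [
        ("invoice_2017-06.docx", build_sample_ooxml(with_macros=True)),   # renamed .docm
        ("terms.docx", build_sample_ooxml(with_macros=False)),
    ]
    verdict, details = triage_message(sample)
    print(verdict)
    for name, (v, why) in details.items():
        print(f"  {name}: {v} ({why})")
```

The policy is deliberately narrow: it does not try to judge whether a macro is malicious, only whether an attachment can run one at all, which is the property a gateway can decide cheaply and consistently. Legitimate macro-bearing documents from known senders would be handled by an allow-list in front of this check rather than by loosening the check itself.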